Mark Allison
2012-Aug-19 15:49 UTC
Configuring traffic control with Shorewall 4.5.6.2 on CentOS 6.3
Hi,

I have just created a new Linux firewall for home use with CentOS 6.3 x64 minimal install and the following:

- Shorewall (2 interface)
- Dansguardian
- Squid

I also have DHCPd and BIND9 running on there. It looks something like this: http://i.imgur.com/t0LTi.png

I would like to implement a simple traffic control and I've thought of two possible configs:

1) 10.0.0.50 (my PC) has guaranteed bandwidth of 1mbit. I also want to limit total download bandwidth to a group of sites defined as video sites (e.g. youtube.com, vimeo.com, etc) to 1mbit across the network. I have spent quite a long time looking for examples on the internet but haven't found much to help me.

2) Give video sites and file downloads low priority over normal web browsing and DNS, instead of limiting them to 1mbit as in 1). http://www.ckollars.org/shaping.html did inspire me to think of something like this:

** high priority
- DNS queries
- webmail (sites gmail, hotmail)
- mail ports IMAP POP3 SMTP
- skype

** normal priority
- normal web browsing

** low priority
- bit torrent
- video websites (youtube.com, vimeo.com, etc)
- ftp and http downloading of large files

I'm really not sure whether I should be using Shorewall simple traffic control or complex traffic control, and I'm not really sure how to configure it. If someone could show me some examples or how I could do it, I'd much appreciate it.

My config files:

- shorewall.conf http://pastebin.com/CqchttsF
- interfaces http://pastebin.com/RCf7NzFP
- zones http://pastebin.com/mr9hRpSG
- policy http://pastebin.com/EBRfPV4g
- rules http://pastebin.com/9mhcmYVV
- masq http://pastebin.com/sRrKENb1
- tcdevices http://pastebin.com/VrYA0024
- tcinterfaces http://pastebin.com/dutZUmaR
- tcpri http://pastebin.com/qddPSxxT

Blank config files: tcrules, tcclasses, tcfilters, tos, tunnels, params

If you have any other comments on my config, I would appreciate those too!

Thanks,
Mark

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Tom Eastep
2012-Aug-20 22:47 UTC
Re: Configuring traffic control with Shorewall 4.5.6.2 on CentOS 6.3
On 08/19/2012 08:49 AM, Mark Allison wrote:

> Hi,
>
> I have just created a new linux firewall for home use with CentOS 6.3
> x64 minimal install and the following:
>
> Shorewall (2 interface)
> Dansguardian
> Squid
>
> I also have DHCPd and BIND9 running on there.
>
> It looks something like this http://i.imgur.com/t0LTi.png
>
> I would like to implement a simple traffic control and I've thought of
> two possible configs:
>
> 1) 10.0.0.50 (my PC) has guaranteed bandwidth of 1mbit. I also want to
> limit total download bandwidth to a group of sites defined as video
> sites (e.g. youtube.com, vimeo.com, etc) to 1mbit across the network.
> I have spent quite a long time looking for examples on the internet
> but haven't found much to help me.
>
> 2) give video sites and file downloads low priority over normal web
> browsing and DNS, instead of limiting them to 1mbit in 1).
> http://www.ckollars.org/shaping.html did inspire me to think of
> something like this:
>
> ** high priority
> DNS queries
> webmail (sites gmail, hotmail)
> mail ports IMAP POP3 SMTP
> skype
>
> ** normal priority
> normal web browsing
>
> ** low priority
> bit torrent
> video websites (youtube.com, vimeo.com, etc)
> ftp and http downloading of large files
>
> I'm really not sure whether I should be using Shorewall simple traffic
> control or complex traffic control, and I'm not really sure how to
> configure it. If someone could show me some examples or how I could do
> it, I'd much appreciate it.

Given that your requirements seem to focus on incoming traffic from particular domains, it will be difficult to meet your needs with Shorewall traffic shaping (simple or complex).

- Shorewall's traffic shaping works at the network layer. So:
  o It doesn't know anything about DNS names.
  o It can't distinguish between smaller downloads and normal web traffic.
  o It is only effective for controlling traffic sent through an interface, not for traffic received through an interface.

So to regulate traffic from the net, you must either configure an IFB or you need to do your traffic control as traffic is sent out of your local interface.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
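The second option Tom describes (shaping downloads as they leave the LAN-facing interface) with Shorewall complex traffic shaping, written as an added illustration rather than anything from the thread or the Shorewall project. It assumes `eth1` is the LAN interface, a 10mbit Internet download link (so the LAN egress ceiling is set a little below that, at 9mbit, to keep the queue on the firewall rather than at the ISP), `TC_ENABLED=Internal` in shorewall.conf, and empty tcinterfaces/tcpri (Simple and Internal shaping are mutually exclusive). Only the per-host guarantee for 10.0.0.50 is expressed, since, as noted above, the shaper cannot match on DNS names.

```conf
# /etc/shorewall/tcdevices  (assumed interface and link speed)
# No IN-BANDWIDTH policing on the LAN side; shape what leaves eth1
# toward the LAN at just under the real Internet download rate.
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH   OPTIONS   REDIRECTED
eth1         -              9mbit

# /etc/shorewall/tcclasses
# Class 1: downloads to 10.0.0.50, 1mbit guaranteed, may borrow up to full.
# Class 2: everything else (default), lower priority so class 1 wins contention.
#INTERFACE   MARK   RATE     CEIL   PRIORITY   OPTIONS
eth1         1      1mbit    full   1
eth1         2      8mbit    full   2          default

# /etc/shorewall/tcrules
# Mark packets destined for 10.0.0.50 so they land in class 1.
# The ":T" suffix marks in POSTROUTING: with Squid running on the
# firewall, most LAN downloads originate from the firewall itself and
# would never traverse PREROUTING/FORWARD where marks apply by default.
#MARK   SOURCE      DEST          PROTO
1:T     0.0.0.0/0   10.0.0.50     all
```

Check the result with `shorewall show tc` after `shorewall restart`; class 1 should accumulate bytes only while 10.0.0.50 is downloading.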
Benny Pedersen
2012-Aug-21 00:42 UTC
Re: Configuring traffic control with Shorewall 4.5.6.2 on CentOS 6.3
On 2012-08-21 00:47, Tom Eastep wrote:

>> Shorewall (2 interface)
>> Dansguardian
>> Squid

delay_pools: each pool has its own bandwidth limit, but it's limited to only protocols that Squid supports.
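Benny's suggestion applied to the original question (capping the video sites at 1mbit across the whole LAN), as an added example rather than config from the thread: a single aggregate (class 1) delay pool in squid.conf. Squid expresses limits in bytes per second, so 1mbit is 125000 bytes/s; the domain list is constructed for illustration. It only affects HTTP traffic that actually passes through Squid, so anything reaching the net directly bypasses it.

```conf
# squid.conf fragment (added example)
# Match the "video sites" by destination domain; a leading dot also
# matches subdomains such as www.youtube.com.
acl video_sites dstdomain .youtube.com .vimeo.com

# One pool, class 1 = a single aggregate bucket shared by all clients.
delay_pools 1
delay_class 1 1

# aggregate restore-rate/max-bucket in bytes/sec: 1mbit = 125000 B/s.
# Using the same value for both gives no burst above 1mbit.
delay_parameters 1 125000/125000

# Only video_sites traffic is throttled; everything else is unshaped.
delay_access 1 allow video_sites
delay_access 1 deny all
```

After `squid -k reconfigure`, `squidclient mgr:delay` shows the pool's current bucket level, which should drain toward zero while several clients stream video concurrently.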